Check Point Research reports new surge in attacks using the Phorpiex Botnet delivering the Avaddon ransomware in malicious spam campaigns

Our latest Global Threat Index for November 2020 has revealed that there has been a new surge in infections by the well-known Phorpiex botnet which has made it the month’s most prevalent malware, impacting 4% of organizations globally.  Phorpiex was last seen in the Threat Index’s top 10 in June this year.

The Phorpiex botnet was first reported in 2010, and at its peak controlled more than a million infected hosts. Known for distributing other malware families via spam as well as fueling large-scale “sextortion” spam campaigns and cryptomining, Phorpiex has again been distributing the Avaddon ransomware, as Check Point researchers originally reported earlier this year. Avaddon is a relatively new Ransomware-as-a-Service (RaaS) variant, and its operators have again been recruiting affiliates to distribute the ransomware for a cut of the profits. Avaddon has been distributed via JS and Excel files as part of malspam campaigns and is able to encrypt a wide range of file types.

Phorpiex is one of the oldest and most persistent botnets, and has been used by its creators for many years to distribute other malware payloads such as GandCrab and Avaddon ransomware, or for sextortion scams. Check Point Researchers warn that this new wave of infections is now spreading another ransomware campaign, which shows just how effective a tool Phorpiex is. Check Point urges organizations to educate employees about how to identify potential malspam and to be wary of opening unknown attachments in emails, even if they appear to come from a trusted source. Organizations should also ensure they deploy security that actively prevents them from infecting their networks.

The research team also warns that “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most common exploited vulnerability, impacting 54% of organizations globally, followed by “MVPower DVR Remote Code Execution” impacted 48% of organizations worldwide and “Dasan GPON Router Authentication Bypass (CVE-2018-10561) impacted 44% of organizations globally.

Top malware families

*The arrows relate to the change in rank compared to the previous month.

This month, Phorpiex is the most popular malware with a global impact of 4% of organizations, closely followed by Dridex and Hiddad which both impacted 3% of organizations worldwide.

  1. ↑ Phorpiex – Phorpiex is a botnet known for distributing other malware families via spam campaigns as well as fueling large scale Sextortion campaigns.
  2. ↑ Dridex – Dridex is a Trojan that targets the Windows platform and is reportedly downloaded via a spam email attachment. Dridex contacts a remote server and sends information about the infected system. It can also download and execute arbitrary modules received from the remote server.
  3. Hiddad – Hiddad is an Android malware infection which repackages legitimate mobile apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
  1. ↔ Formbook – Formbook is an Info Stealer that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to its C&C orders.
  2. ↓ Emotet – Emotet is an advanced, self-propagate and modular Trojan. Emotet once used to employ as a banking Trojan, and recently is used as a distributer to other malware or malicious campaigns. It uses multiple methods for maintaining persistence and evasion techniques to avoid detection. In addition, it can be spread through phishing spam emails containing malicious attachments or links.
  3. ↓ Trickbot – Trickbot is a dominant banking Trojan constantly being updated with new capabilities, features and distribution vectors. This enables Trickbot to be a flexible and customizable malware that can be distributed as part of multi purposed campaigns.
  1. ↔ XMRig – XMRig is an open-source CPU mining software used for the mining process of the Monero cryptocurrency, and first seen in-the-wild in May 2017.
  1. ↑ RigEk – RigEK delivers exploits for Flash, Java, Silverlight and Internet Explorer. The infection chain starts with a redirection to a landing page that contains JavaScript that checks for vulnerable plug-ins and delivers the exploit.
  2. ↓ Zloader – Zloade is a descendant of the ubiquitous Zeus banking malware which uses webinjects to steal credentials, passwords and cookies stores in web browsers, and other sensitive information from customers of banks and financial institutions. The malware lets attackers connect to the infected system through a virtual network computing client, so they can make fraudulent transactions from the user’s device.
  3. ↓ Qbot – Qbot is a banking Trojan that first appeared in 2008, designed to steal users banking credentials and keystrokes. Often distributed via spam email, Qbot employs several anti-VM, anti-debugging, and anti-sandbox techniques, to hinder analysis and evade detection.

Top exploited vulnerabilities

This month “HTTP Headers Remote Code Execution (CVE-2020-13756)” is the most common exploited vulnerability, impacting 54% of organizations globally, followed by “MVPower DVR Remote Code Execution” impacted 48% of organizations worldwide and “Dasan GPON Router Authentication Bypass (CVE-2018-10561) impacted 44% of organizations globally.

  1. HTTP Headers Remote Code Execution (CVE-2020-13756) – HTTP headers let the client and the server pass additional information with an HTTP request. A remote attacker may use a vulnerable HTTP Header to run arbitrary code on the victim machine.
  2. MVPower DVR Remote Code Execution – remote code execution vulnerability exists in MVPower DVR devices. A remote attacker can exploit this weakness to execute arbitrary code in the affected router via a crafted request.
  3. Dasan GPON Router Authentication Bypass (CVE-2018-10561) – An authentication bypass vulnerability that exists in Dasan GPON routers. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.
  4. ↑ Web Server Exposed Git Repository Information Disclosure- information disclosure vulnerability has been reported in Git Repository. Successful exploitation of this vulnerability could allow an unintentional disclosure of account information.
  5. ↑ Command Injection Over HTTP Payload (CVE-2013-6719; CVE-2013-6720) – A command Injection over HTTP payload vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  6. OpenSSL TLS DTLS Heartbeat Information Disclosure (CVE-2014-0160; CVE-2014-0346) – An information disclosure vulnerability exists in OpenSSL. The vulnerability is due to an error when handling TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose memory contents of a connected client or server.
  7. Draytek Vigor Command Injection (CVE-2020-8515) – A command injection vulnerability exists in Draytek Vigor. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.
  8. ↔ SQL Injection (several techniques) – Inserting an injection of SQL query in input from client to application, while exploiting a security vulnerability in an application’s software.
  9. ↑ Command Injection Over HTTP – A command Injection over HTTP vulnerability has been reported. A remote attacker can exploit this issue by sending a specially crafted request to the victim. Successful exploitation would allow an attacker to execute arbitrary code on the target machine.
  10. WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469) – An authentication bypass vulnerability exists in WordPress portable-phpMyAdmin Plugin. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system.

Top Mobile Malwares

This month Hiddad is the most prevalent Mobile malware, followed by xHelper and Lotoor.

  1. Hiddad – Hiddad is an Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is to display ads, but it can also gain access to key security details built into the OS.
  2. xHelper – xHelper is a malicious application seen in the wild since March 2019, used for downloading other malicious apps and display advertisement. The application can hide itself from the user, and reinstall itself in case it was uninstalled.
  3. Lotoor – Lotoor is a hack tool that exploits vulnerabilities on Android operating system in order to gain root privileges on compromised mobile devices.

You may also like